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The security of Internet-enabled wireless communications devices (e.g., third generation [3G] 
wireless devices) is an issue of obvious importance to the wireless industry, the private sector, 
and the Government. Recent exploitations of particular vulnerabilities in Internet-enabled 
wireless communications devices have resulted in increased public awareness of this problem. 
One publicized exploitation involved the launching of a denial of service attack on the Japanese 
equivalent of the U.S. emergency 911 system. In this instance, NTT DoCoMo users 
unknowingly dialed the emergency system when an appellate was executed on their wireless 
devices. These types of attacks could pose a serious threat to the availability and security of 
national security and emergency preparedness (NS/EP) communications networks. 

At a December 2, 2002, Industry Executive Subcommittee (lES) task force briefing, 

Mr. Richard Clarke, Chair, the President’s Critical Infrastructure Protection (CIP) Board, 
requested that the President’s National Security Telecommunications Advisory 
Committee’s (NSTAC) Wireless Task Eorce (WTE) consider examining the security of 
Internet-enabled wireless communications devices and the efficacy of installing anti-virus 
software for wireless telephones, since such devices are becoming increasingly more integrated 
with computing functions. In response to the Administration’s request, the Task Eorce scoped 
the issue, receiving briefings regarding industry solutions for addressing this issue from 
Bank of America, and the Cellular Telecommunications & Internet Association. 

In scoping the issue, the WTE made the following observations: 

> The security of Internet-enabled wireless communications devices is a serious issue, 
yet the problem is not limited exclusively to “wireless” or “3G” wireless devices; any 
device connected to the Internet can be attacked. Any device connected to a 
distributed network is vulnerable to malicious code (e.g., Trojan horses, viruses, etc.). 

Eor example, there have been reported attacks on the emergency 911 system through 
WebTV devices that are connected to the Internet, but are not wireless. 

> The security of Internet-enabled communications devices is not a new issue. While 
recent attacks have targeted advanced wireless devices, similar attacks have been 
executed on other user devices and network applications in the past. The Government 
and industry have been aware of network vulnerabilities related to the convergence of 
telecommunications networks and the Internet for years, and have worked together to 
develop solutions. 

> The problem currently affects the application layer, not the network layer; network 
safeguards are in place and attacks have been focused on weaknesses in the specific 
platforms being used (e.g,, short messaging systems, I-mode, etc,). The safeguards 
found in the network layer provide adequate security for the switching and routing of data 
being transmitted via a certain protocol (e.g, Internet Protocol, etc.). Vulnerabilities at 
the application layer, where an application file or particular program connect to a 
communications protocol, have been exploited in Internet-enabled wireless devices. 
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> Solutions and responses to this problem have been reactionary; security is not 
sufficiently built-in for Internet-enabled devices. Industry has not had a coordinated 
response to this problem to date, but has added on seeurity solutions as problems have 
arisen. However, the commercial wireless seetor is in the early stages of eoordinating 
efforts to develop platform standards that address these issues. 

> This issue could affect the security and availability of the NS/EP communications 
infrastructure. As was seen in the attacks against the emergency 911 system and the 
potential for other types of attaeks through wireless deviees, there exists a substantial risk 
to the seeurity and availability of the NS/EP eommunieations infrastrueture. 

> Industry has been working this issue from a market-driven standpoint; application 
deployment is being deferred by carriers until they can ensure adequate security is 
in place. As seeurity of wireless networks has beeome a larger and more visible issue, 
the U.S. wireless industry has beeome more eautious and delayed the release of some 
2.5G and 3G wireless produets/applieations until adequate seeurity ean be assured. 

> The problem is international in scope and needs to be addressed in cooperation with 
international groups. The seeurity of Internet-enabled wireless eommunieations deviees 
and eonvergence issues have impaets outside of the United States. Any efforts to develop 
mitigation strategies, standards or best practiees must inelude regional standards 
organizations (e.g.. The European Teleeommunieations Standards Institute) and 
international organizations (e.g.. The International Teleeommunieation Union), as well as 
applieation developers and network operators. 

> The Government can take an increased role in helping focus solutions. The Task 
Eoree advises Eederal ageneies and departments to beeome more involved in the 
standards development proeess and help foeus solutions to ensure NS/EP requirements 
are considered. 

> The NSTAC may play a role to focus the issue; while that role is not currently clear, 
the lES should revisit this issue in the future. After scoping the issue, the WTE has 
not identified any new issues warranting study from a wireless perspeetive. 

The WTE reached the following eonclusion: 

> Although the initial tasking references wireless specifically, the NSTAC has worked 
on this larger issue as it relates to the convergence of telecommunications networks 
and the Internet. The NSTAC investigated and presented reeommendations regarding 
the convergenee of teleeommunieations networks and the Internet during past eyeles. In 
2001, for example, the NSTAC’s Convergenee Task Eoree examined the ability of the 
eonverged network to seeurely and reliably support NS/EP eommunieations 
requirements. At the January 23, 2003, lES Meeting, members agreed to keep abreast of 
new developments on this issue, but to defer eondueting any further study at this time. 
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